{
	"id": "b46df386-983a-42bd-8c55-adff22c72156",
	"created_at": "2026-04-06T00:18:45.769097Z",
	"updated_at": "2026-04-10T03:20:35.591174Z",
	"deleted_at": null,
	"sha1_hash": "8b1d8deccb936b4c98584570ced97184d40b28d2",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 302240,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-02 12:02:04 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:Matryoshka\r\nPage 1 of 17\r\n\r\nFake WinRAR downloads hide malware behind a real installer\r\nDomain: 3\r\nWeb researchers have identified a malicious campaign distributing fake WinRAR installers from several Chinese websites. The fraudulent installer, named \"1winrar-x64-713scp1.exe,\" masquerades as the legitimate WinRAR application, a common way of lowering user suspicion. Chinese characters on the download links that translate to \"install\" indicate that they are aimed at tricking Chinese-speaking users into fetching the malware under the guise of legitimate software. Hiding malware behind a real installer can facilitate a range of attacks, because users trust well-known applications like WinRAR and the expected program still appears to install. The campaign emphasizes the importance of scrutinizing software downloads: obtain installers only from the vendor's official site and check their digital signature, since attackers routinely use social engineering of this kind to get users to compromise their own systems.\r\n160 Subscribers\r\n\r\nSnake Evolution\r\nFileHash-MD5: 27 | FileHash-SHA1: 27 | FileHash-SHA256: 35 | Hostname: 3\r\nThe Snake Keylogger, also referred to as the 404 Keylogger, is a malware family categorized primarily as a keylogger that has since gained stealer functionality, significantly extending its capabilities since it emerged in 2019. Analysts suggest that a considerable portion of its source code may derive from the Matiex malware, although the order of development is disputed: some claim 404 was the original and that Matiex subsequently reused its code.\r\n160 Subscribers\r\n\r\nMicrosoft Office Russian Dolls\r\nCVE: 1 | FileHash-MD5: 1 | FileHash-SHA1: 1 | FileHash-SHA256: 2\r\nRecent trends show a resurgence in malicious Microsoft Office documents, particularly ones that exploit vulnerabilities in Office's own file-handling code rather than relying on macros. One notable technique uses Rich Text Format (RTF) documents targeting CVE-2017-11882, a memory-corruption flaw in the Equation Editor component of Microsoft Office that lets an attacker execute arbitrary code when a crafted RTF file is opened. Microsoft's stricter default blocking of VBA macros reduced the volume of malicious Office documents, yet threat actors continue to use these RTF documents effectively because the exploit does not depend on macros at all. The flaw was patched in November 2017, so the technique only works against installations that are missing that update, which makes patch status the first thing to verify. This attack vector reflects a broader pattern of adapting tactics in response to security enhancements in software, and the continued use of RTF exploits is a reminder of the ongoing risk posed by vulnerabilities in widely used applications.\r\n160 Subscribers\r\n\r\nOriginal State\r\nCIDR: 1 | CVE: 1 | FileHash-MD5: 321 | FileHash-SHA1: 319 | FileHash-SHA256: 1242 | SSLCertFingerprint: 1 | URL: 712 | Domain: 365 | Email: 5 | Hostname: 560\r\n218 Subscribers\r\n\r\nSoftware Packing | Mirai • Emotet • Pottieq | Mercer Museum Library\r\nCIDR: 1 | CVE: 1 | FileHash-MD5: 311 | FileHash-SHA1: 309 | FileHash-SHA256: 1044 | SSLCertFingerprint: 1 | URL: 230 | Domain: 260 | Email: 4 | Hostname: 429\r\nAttacking Mercer Museum Research Library, Bucks County, Pa. Malicious redirect to 7034.sydneyplus.com. Attacks the Nelson-Stratton and Brashears families' historical Doylestown presence.\r\nThor, 4 years ago: Signature Match - THOR APT Scanner Detection\r\nRule: MAL_Unknown_Malware_May19_1\r\nRule Set: Malware 1\r\nRule Type: VALHALLA rule feed only\r\nDescription: Detects unspecified malware noticed in 2019\r\nReference: Internal Research\r\nAuthor: Florian Roth\r\nScore: 75\r\nDetection Snapshot\r\nDetection Timestamp: 2019-10-30 17:30\r\nAV Detection Ratio: 23 / 68\r\n#unknown #malware1 #mal_unknown_malware_may19_1\r\nMore information: https://www.nextron-systems.com/notes-on-virustotal-matches/\r\nPlease report interesting findings via Twitter @thor_scanner\r\n218 Subscribers\r\n\r\nVenus Ransomware\r\nFileHash-MD5: 4 | FileHash-SHA1: 4 | FileHash-SHA256: 4 | Email: 15\r\nExposed Microsoft Windows Remote Desktop Services were targeted by variants of the Venus ransomware family. The malware terminates processes, disables Data Execution Prevention, and deletes event logs and Volume Shadow Copies, removing both the local forensic trail and the easiest local recovery path. Encrypted files receive the \".venus\" extension, and a \"goodgamer\" file marker is appended to the end of each encrypted file; the marker and the extension together are a reliable triage indicator on affected hosts.\r\n240 Subscribers\r\n\r\nThreat Profile: RedLine Infostealer\r\nFileHash-MD5: 308 | FileHash-SHA1: 308 | FileHash-SHA256: 307 | URL: 54 | Domain: 7 | Email: 1 | Hostname: 10\r\nThe information stealer its author named RedLine Stealer was identified being delivered through spam email campaigns. The malware is offered for sale on Russian-language dark web forums under a tiered subscription model in which threat actors pay different prices for different access levels. Beyond password theft, RedLine harvests saved login information, autocomplete data and credit card details from browsers.\r\n240 Subscribers\r\n\r\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to more than 1.5 million customers across the globe, and offers a wide range of products and services.\r\n17 Subscribers\r\n\r\nA new way to encrypt CC server URLs | Deutsche Telekom\r\nA look at some of the highlights of Telekom’s work-life, as Thomas Barabosch looks back at how the German telecoms giant has evolved in the last five years. The malware downloader Smokeloader is one of the oldest malware families still in use today. A malware downloader is a typically small program that fingerprints a target system, then downloads and executes one or more additional malicious programs. Downloaders are part of the cybercrime ecosystem: some cybercriminals offer to distribute malware for others, selling a number of installations for a couple of dollars depending on factors such as the target's geographic location and operating system.\r\n96 Subscribers\r\n\r\nIndicators search: 114 indicators found\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:Matryoshka",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:Matryoshka"
	],
	"report_names": [
		"pulses?q=tag:Matryoshka"
	],
	"threat_actors": [],
	"ts_created_at": 1775434725,
	"ts_updated_at": 1775791235,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b1d8deccb936b4c98584570ced97184d40b28d2.pdf",
		"text": "https://archive.orkl.eu/8b1d8deccb936b4c98584570ced97184d40b28d2.txt",
		"img": "https://archive.orkl.eu/8b1d8deccb936b4c98584570ced97184d40b28d2.jpg"
	}
}